On Tue, Sep 22, 2015 at 02:03:09PM +0200, Michael Ströder wrote:
> Michael Ströder wrote:
>> Jakub Hrozek wrote:
>>> On Mon, Sep 21, 2015 at 07:02:05PM +0200, Michael Ströder wrote:
>>>> Is it possible to let sssd always fetch all user entries by using the
>>>> dereference control on all visible groups?
>>>> ldap_deref_threshold = 1 ?
>>> Yes, this should do the trick with rfc2307bis or derivatives (IPA, AD,
>> Hmm, I still see searches with filter
>> sent by sssd (currently testing with 1.13.0, see config below).
>> I had hoped to switch off user searches completely at least after initializing
>> the cache. Do I have to tweak caching/enumeration parameters?
> For the record:
> It seems with enumerate = false the behaviour is more like what I want to achieve.

Ah, sorry, I missed that you're trying to use enumerate=true. Yeah, that
doesn't use deref, the code is actually much simpler:
* ldapsearch all users
* ldapsearch all groups
* establish the user-group memberships in the cache

> At least if sssd queries the group entry first (caused by getent group name)
> there is absolutely no query with filter (objectClass=posixAccount).

Yep, we search the group entry and then dereference its members.
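
An added example, not part of the original thread and not sssd code: a small Python check that reads an sssd.conf and flags domains where the dereference path described above will not be used. The sample configuration, domain names and finding codes are constructed; the fallback values (enumerate false, ldap_schema rfc2307, ldap_deref_threshold 10, with 0 disabling deref) are the sssd defaults as documented in its man pages.

```python
import configparser

# Constructed sample sssd.conf; domain names and values are illustrative only.
SAMPLE_CONF = """
[domain/enum_dom]
ldap_schema = rfc2307bis
enumerate = true
ldap_deref_threshold = 1

[domain/deref_dom]
ldap_schema = rfc2307bis
enumerate = false
ldap_deref_threshold = 1

[domain/plain_dom]
id_provider = ldap
ldap_deref_threshold = 0
"""

MESSAGES = {
    "enumerate": "enumerate=true: all users and all groups are searched, deref is not used",
    "schema": "ldap_schema=rfc2307: deref needs rfc2307bis or a derivative (IPA, AD)",
    "threshold": "ldap_deref_threshold=0: dereference lookups are switched off",
}

def audit_deref(conf_text):
    """Map each domain to the finding codes that keep deref lookups from happening."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom, found = cp[section], []
        # Fallbacks below are the sssd defaults for options left unset.
        if dom.get("enumerate", "false").strip().lower() == "true":
            found.append("enumerate")
        if dom.get("ldap_schema", "rfc2307").strip().lower() == "rfc2307":
            found.append("schema")
        if dom.get("ldap_deref_threshold", "10").strip() == "0":
            found.append("threshold")
        report[section.split("/", 1)[1]] = found
    return report

if __name__ == "__main__":
    for name, found in audit_deref(SAMPLE_CONF).items():
        print(name, "OK" if not found else "; ".join(MESSAGES[c] for c in found))
```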